Book a Briefing
by Mojave Research

CMMC Phase 2 Countdown: What November 2026 Means for Your Contracts

Phase 2 begins November 10, 2026 — one calendar year after Phase 1 start on November 10, 2025. Here’s what the phased rollout changes for Level 2 contracts and how to plan without relying on unverified market stats.

What Changes on November 10, 2026?

Phase 1 began on November 10, 2025 (the effective date of the DFARS final rule implementing the CMMC acquisition requirements — see our Phase 1 briefing for what that means today). Phase timing is defined in 32 CFR 170.3(e).

What changes with Phase 2 is the model for Level 2 status in applicable awards: Phase 2 begins one calendar year after Phase 1 starts, and DoD intends to include Level 2 (C3PAO) status as a condition of contract award for applicable solicitations and contracts.

Phase 2 also allows DoD, at its discretion, to include Level 3 (DIBCAC) status for applicable solicitations and contracts. Phase 3 and Phase 4 continue the phase-in over the following two years.

The three dates that matter:

  • November 10, 2025 — Phase 1 start (DFARS final rule effective date).
  • November 10, 2026 — Phase 2 start (one calendar year after Phase 1).
  • November 10, 2027 — Phase 3 start (one calendar year after Phase 2).

How Many Contractors Are Actually Ready?

If you see exact “ready / certified / verified” counts circulating in marketing copy, treat them as unverified unless they’re backed by an authoritative, reproducible source. For decision-making, the more reliable question is:

What CMMC status will your contract require — and when? The official requirement is set by the solicitation/contract (and any flow-down), and the phase-in timing is defined in regulation.

If you want a grounded “urgency” model: assume your schedule risk is dominated by scoping, documentation, evidence readiness, and third-party availability — and plan early.

What Does Phase 2 Mean for Subcontractors?

Here’s the part that catches people off guard. DFARS 252.204-7021 requires prime contractors to flow CMMC requirements down to subcontractors at every tier. Your prime doesn’t have a choice — it’s a contractual obligation, not a preference.

What this means in practice: primes are already auditing their supply chains. Subcontractors who can’t demonstrate CMMC readiness risk losing their positions — not because of a government enforcement action, but because their prime can’t afford the risk of a non-compliant sub dragging down their own certification.

The practical effect: primes will increasingly need subcontractors that can demonstrate the required CMMC status for the information they handle.

What Does CMMC Level 2 Actually Require?

Level 2 maps to NIST SP 800-171 (Rev. 2) requirements as incorporated and referenced by the CMMC program rule.

Each requirement needs documented policy, implemented procedures, and evidence of ongoing operation.

What Are Assessment Costs Running in 2026?

Costs vary significantly by scope (what’s in-scope for CUI/FCI), existing maturity, remediation effort, and the contract’s required CMMC status. DoD publishes cost assumptions and estimates in the CMMC final rule and associated analyses; treat any universal “price range” with skepticism.

Waiting makes everything more expensive. Assessment slots get scarcer. Remediation timelines compress. And the consultancies that actually know what they’re doing fill their calendars first.

What Should Contractors Do Right Now?

Start with the work that takes the longest: scoping your CUI boundary, documenting your System Security Plan, and identifying your control gaps. These aren’t tasks you can rush in 30 days. CUI scoping alone — understanding exactly where controlled information lives in your email, file shares, backup systems, collaboration tools, and print queues — is the single highest-impact activity for reducing assessment cost and complexity.

Here’s a realistic sequence:

  1. Scope your CUI environment. Define exactly which systems process, store, or transmit CUI. Over-scoping drives up cost; under-scoping creates compliance gaps.
  2. Run a gap analysis against NIST 800-171 Rev 2. Identify where you stand on each of the 110 requirements. Be honest — assessors will be.
  3. Build a remediation plan with real deadlines. Not a PDF that sits in a SharePoint folder. A plan with owners, milestones, and completion criteria.
  4. Engage early with your prime and stakeholders. Align on the required CMMC status, scope, and evidence expectations well before the award decision point.

Our team has a CMMC Registered Practitioner on staff and is onboarding engagements now. A 30-minute readiness triage will tell you exactly where you stand and what it takes to be assessment-ready before Phase 2. Start with our CMMC practice page for the delivery model and readiness snapshot, or see our full capabilities for procurement pathways.

Sources